Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Single logout not working - SessionIndex & LogoutNameIdentifier claims are missing #1224

Closed arjen199 closed 2 years ago

arjen199 commented 4 years ago

Hello,

I'm having trouble troubleshooting single logout with our IdP. When I open the URL "applicationpath/AuthServices/Logout" it logs me right back in. But using the Sustainsys stub IdP project, all works fine.

After I attached a logging component I found this:

Initiating logout, checking requirements for federated logout
 Issuer of LogoutNameIdentifier claim (should be Idp entity id):
 Issuer is a known Idp: False
 Session index claim (should have a value):
 Idp has SingleLogoutServiceUrl:
 There is a signingCertificate in SPOptions: True
 Idp configured to DisableOutboundLogoutRequests (should be false):

Our service provider/application is an ASP.NET Web Forms application which is using Sustainsys/Saml2 version 2.3.0 and Sustainsys/HttpModule version 2.3.0.

When I open the metadata XML file from our IdP it shows a single logout URL and all that stuff, but to be honest I don't really know what to look at. What might I be missing here?

(I don't have access to the IdP (ADFS) because it is managed by a different organization, but I'm able to open tickets with specific technical questions.)

kent-id commented 4 years ago

I suggest going through the browser network tab to see the HTTP requests happening behind the scenes. I find plugins like SAML Message Decoder to also be helpful to see all the SAML requests / responses exchanged.

From the log it also seems that the Single Logout URL is not set in the IdP. So one possible reason for your issue is that hitting /AuthServices/Logout logs you out from the SP but not from the IdP, and then your application tries to re-authenticate with the IdP, into which you are still logged in.

arjen199 commented 4 years ago

I've used the SAML-tracer plugin for Chrome but it doesn't show any errors or information that indicates that something is wrong. The logging I posted earlier is the first bit of information that I have that tells me something is wrong. But again, when I check the metadata of the IdP a single logout URL is there; everything seems to be there.

AndersAbel commented 4 years ago

For single logout, there is some information that is needed to initiate a logout. It is stored in special claims (LogoutNameIdentifier and SessionIndex). It looks like none of those are present. Do you clean up your claims somewhere so that they are lost? Can you verify that your Idp issues a SessionIndex (it is required for single logout)?

arjen199 commented 4 years ago

Do you clean up your claims somewhere so that they are lost?

Not that I know of; I used very little code to implement this solution. Nowhere in my code do I modify or delete claims or anything like that.

Can you verify that your Idp issues a SessionIndex (it is required for single logout)?

Would this be visible by using the SAML-tracer plugin for Chrome? Because I used that one.

For me it looks like that plugin only shows the SAML2 request and not the response. But that is just an assumption.

When capturing SAML2 traffic using the Sustainsys stub IdP I do see a SessionIndex being sent from my browser to the web application (https://applicationurl/AuthServices/Acs) after logging in. However, I can't see a SAML2 message where it received the SessionIndex from.

When capturing SAML2 traffic to our company IdP it does show a different SAML2 message after logging in which contains no SessionIndex.

So I want to know what response message I got from the IdP which didn't contain the SessionIndex. Then I can specifically ask our 'ADFS team' with this information why I'm not receiving a SessionIndex.

But how do I get that response message?

AndersAbel commented 4 years ago

Would this be visible by using the SAML-tracer plugin for Chrome? Because I used that one.

Yes, the SAML tracer plugin should show the SessionIndex if there is one. It's an attribute in Response/Assertion/AuthnStatement.

If the SessionIndex is missing, it explains why all the other information in the log message is empty. If there is no SessionIndex attribute, the LogoutNameIdentifier claim is never created, because SessionIndex is required by the specification when doing single logout.

Can you also check if the assertion contains a NameId? It is optional for login, but required for logout to work. And according to https://social.msdn.microsoft.com/Forums/vstudio/en-US/7f3bd35f-b86d-4a31-98f9-9fcdd571c05d/sessionindex-attribute-missing-in-authnstatement-element ADFS generates a SessionID only if there is a NameID.
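The two checks described in the comment above (a NameID in the assertion Subject and a SessionIndex attribute on the AuthnStatement) can be scripted against a captured SAMLResponse. The following is an added example written for this issue, not code from Sustainsys.Saml2 or from the participants; it only inspects the XML and performs no signature validation or decryption, so it assumes a plaintext assertion such as the one a tracer plugin shows. The two sample responses, the issuer and the identifiers in them are constructed for the example.

```python
"""Inspect a captured SAML Response for the fields single logout depends on.

Added example; not code from Sustainsys.Saml2. Reads the XML only (no
signature check, no decryption), so it assumes a plaintext assertion.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def decode_saml_response(post_value: str) -> str:
    """Turn the base64 SAMLResponse form field (HTTP-POST binding) into XML."""
    return base64.b64decode(post_value).decode("utf-8")


def logout_requirements(response_xml: str) -> dict:
    """Pull the assertion fields single logout needs; a value is None when absent."""
    found = {"issuer": None, "name_id": None, "name_id_format": None,
             "session_index": None}
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion also lands here: decrypt it before inspecting.
        return found
    issuer = assertion.find("saml:Issuer", NS)
    if issuer is not None:
        found["issuer"] = (issuer.text or "").strip()
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        found["name_id"] = name_id.text.strip()
        found["name_id_format"] = name_id.get("Format")
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is not None:
        found["session_index"] = authn.get("SessionIndex")
    return found


def missing_for_single_logout(found: dict) -> list:
    """Names of the absent fields; an empty list means a LogoutRequest can be built."""
    missing = []
    if not found["name_id"]:
        missing.append("NameID")
    if not found["session_index"]:
        missing.append("SessionIndex")
    return missing


def check_post_value(post_value: str) -> list:
    """Base64 SAMLResponse in, list of missing logout fields out."""
    return missing_for_single_logout(
        logout_requirements(decode_saml_response(post_value)))


# Constructed sample: assertion with NameID and SessionIndex (logout can work).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2020-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2020-01-01T00:00:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: no NameID in the Subject and no SessionIndex, the shape
# reported in this issue before the NameID claim rule was added at the IdP.
NO_NAMEID_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
  IssueInstant="2020-01-01T00:00:00Z">
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2020-01-01T00:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

GOOD_POST_VALUE = base64.b64encode(GOOD_RESPONSE.encode("utf-8")).decode("ascii")
NO_NAMEID_POST_VALUE = base64.b64encode(NO_NAMEID_RESPONSE.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for label, value in (("good", GOOD_POST_VALUE), ("no NameID", NO_NAMEID_POST_VALUE)):
        print(label, "->", logout_requirements(decode_saml_response(value)),
              "missing:", check_post_value(value))
```

To use it on real traffic, copy the SAMLResponse form value from the browser network tab (or the decoded XML from the tracer plugin) and pass it to check_post_value or logout_requirements; the empty "issuer" / "session_index" lines in the log at the top of this issue correspond to the None values this returns.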

arjen199 commented 3 years ago

Yes! That was indeed the problem. After I requested the NameIdentifier claim from our ADFS team, single logout seems to be working. Thank you!